# sfXssSafePlugin - Output Rich Text With Cross Site Scripting Protection

## Overview

Between `ESC_RAW` and `ESC_HTMLENTITIES`, symfony lacks an escaping level that strips dangerous HTML but keeps the tags that merely structure a piece of content or apply formatting to it.

The `sfXssSafePlugin` cleans a string to prevent XSS attacks. It provides a new escaping strategy, `ESC_XSSSAFE`, for escaping tainted HTML strings entered by users. This strategy removes all "dangerous" tags and attributes (scripts, event handlers, unsafe URIs) but keeps the safe ones.

The plugin embeds the [HTML Purifier](http://htmlpurifier.org/) library and is fully unit-tested.

## Installation

* Install the plugin

        symfony plugin-install http://plugins.symfony-project.com/sfXssSafePlugin

* Alternatively, if you don't have PEAR installed, you can download the latest package attached to this plugin's wiki page and extract it under your project's `plugins/` directory

## Usage

First of all, your application's escaping strategy must be set to `both` or `on` to use this plugin; with escaping off, the template variables are not wrapped in escaped objects and `ESC_XSSSAFE` is never applied. Check your `settings.yml` for the `escaping_strategy` parameter.

Include the helper in the templates where you want to use the new escaping strategy:

    <?php use_helper('XssSafe') ?>

As explained in the [symfony book](http://www.symfony-project.org/book/1_0/07-Inside-the-View-Layer#Escaping%20Arrays%20and%20Objects), the methods of escaped objects accept an additional parameter for the escaping strategy. In addition to the core `ESC_HTMLENTITIES` and `ESC_RAW`, you can now use the `ESC_XSSSAFE` strategy.

    // In the action
    $this->post->setContent('this is not nice <script>alert("XSS");</script>');

    // In the template
    <?php echo $post->getContent(ESC_XSSSAFE); ?>
    => 'this is not nice'

## Configuration

You can change the HTML Purifier configuration in your application's `app.yml` file, under the `sfXssSafePlugin` section. Refer to the plugin's `app.sample.yml` and to the [HTML Purifier documentation](http://htmlpurifier.org/live/configdoc/plain.html) for further information.

Be careful with `HTML.Trusted`: setting it to `true` tells HTML Purifier that the input comes from a trusted source and enables a much wider set of tags and attributes, which defeats the purpose of `ESC_XSSSAFE` for user-submitted content. Leave it at `false` unless you have a specific, reviewed reason to change it.

Here is the default configuration used by the plugin if you don't add anything to your `app.yml`:

    all:
      sfXssSafePlugin:
        definition:
          HTML:
            TidyLevel: medium   # Values: "none", "light", "medium", "heavy"
            Doctype: null       # Accepts valid Doctypes, like 'XHTML 1.0 Transitional'
            Trusted: false
          Core:
            Encoding: UTF-8     # This directive only accepts ISO-8859-1 if iconv is not enabled
            RemoveInvalidImg: true
            EscapeInvalidChildren: false
            EscapeInvalidTags: false
            ColorKeywords:
              maroon: '#800000'
              red: '#FF0000'
              orange: '#FFA500'
              yellow: '#FFFF00'
              olive: '#808000'
              purple: '#800080'
              fuchsia: '#FF00FF'
              white: '#FFFFFF'
              lime: '#00FF00'
              green: '#008000'
              navy: '#000080'
              blue: '#0000FF'
              aqua: '#00FFFF'
              teal: '#008080'
              black: '#000000'
              silver: '#C0C0C0'
              gray: '#808080'
          CSS:
            AllowImportant: false
          Filter:
            YouTube: false      # Allow embedded YouTube videos
          AutoFormat:
            AutoParagraph: false
          URI:
            Disable: false
            DisableExternal: false
          Output:
            TidyFormat: false

## Changelog

### 2008-05-19 | 0.5.0 Beta

* amogere: Initial version
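To see what the three escaping levels actually do to a tainted string, here is an added example that is not part of sfXssSafePlugin and does not use the plugin's helper. It calls HTML Purifier directly with the same directives as the default configuration listed above, so the output mirrors what `ESC_XSSSAFE` produces, next to the `ESC_RAW` and `ESC_HTMLENTITIES` equivalents. It assumes HTML Purifier 4.x is installed separately and loaded through its own `HTMLPurifier.auto.php`; the function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not the plugin's own code. Requires HTML Purifier 4.x
// (assumption); adjust the require path to where the library lives.
require_once 'HTMLPurifier.auto.php';

// Build a purifier configured like the plugin's default app.yml.
// Directives left out (Doctype, ColorKeywords, Filter.YouTube) already
// have these values as HTML Purifier defaults.
function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.TidyLevel', 'medium');
    $config->set('HTML.Trusted', false);          // never true for user input
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('Core.RemoveInvalidImg', true);
    $config->set('Core.EscapeInvalidTags', false); // drop bad tags, don't entity-encode them
    $config->set('CSS.AllowImportant', false);
    $config->set('AutoFormat.AutoParagraph', false);
    $config->set('URI.Disable', false);
    $config->set('URI.DisableExternal', false);
    $config->set('Output.TidyFormat', false);
    return new HTMLPurifier($config);
}

// Return the same string at the three escaping levels symfony now offers:
// ESC_RAW (unchanged), ESC_HTMLENTITIES (everything encoded, no markup
// survives) and an ESC_XSSSAFE equivalent (markup kept, dangerous parts removed).
function escapeLevels(HTMLPurifier $purifier, string $dirty): array
{
    return array(
        'ESC_RAW'          => $dirty,
        'ESC_HTMLENTITIES' => htmlentities($dirty, ENT_QUOTES, 'UTF-8'),
        'ESC_XSSSAFE'      => $purifier->purify($dirty),
    );
}

// Constructed samples: each mixes legitimate formatting with an XSS vector
// (script tag, inline event handler, javascript: URI, onerror on an image).
$samples = array(
    'this is not nice <script>alert("XSS");</script>',
    '<p onclick="alert(1)">Hello <b>world</b></p>',
    '<a href="javascript:alert(1)">bad link</a> <a href="http://example.com/">good link</a>',
    '<img src="http://example.com/a.png" alt="a" onerror="alert(1)">',
);

$purifier = buildPurifier();
foreach ($samples as $dirty) {
    foreach (escapeLevels($purifier, $dirty) as $level => $out) {
        printf("%-16s %s\n", $level, $out);
    }
    echo "\n";
}
```

Running this shows the gap the plugin fills: `ESC_HTMLENTITIES` turns the `<b>` and `<p>` tags into literal text along with the attack, while the purified output keeps the structural tags and the `http://` link but drops the `<script>` element, the `onclick` and `onerror` handlers and the `javascript:` URI. When you change a directive in `app.yml`, mirror it in `buildPurifier()` and re-run the samples to confirm the new setting still rejects each vector.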